A new version of Firefox was released today.
You can upgrade through the Help > Check for Updates feature.
The new version addresses three vulnerabilities, all rated “High,” which Mozilla defines as “Vulnerability can be used to gather sensitive data from other sites the user is visiting or inject data or code into those sites, requiring no more than normal browsing actions.” This is less serious than Critical, which entails remote code execution.
The three vulnerabilities are:
* 2007-37: jar: URI scheme XSS hazard: Several vulnerability scenarios are possible with the jar: URI scheme, which is intended to support signed pages in a jar file. From this release on, Firefox only handles jar: content from files served with a Content-Type header of application/java-archive or application/x-jar.
* 2007-38: Memory corruption vulnerabilities: Three bugs can result in memory corruption that can cause program crashes. These bugs might also allow code execution, but this has not been demonstrated.
* 2007-39: Referer-spoofing via window.location race condition: It’s possible to fake the referer field by exploiting a timing issue in window.location. This could lead to a forgery attack in some cases.
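For site operators, the 2007-37 change means a jar: URI is only honored when the inner file is served with one of the two archive types. The sketch below is an added example, not Mozilla's code: it audits a constructed map of URLs to Content-Type headers and reports which jar: URIs the rule would still honor. The function names, the `example.test` URLs, and the choice to split on the first `!/` are assumptions.

```python
# Added example (not Firefox source): apply the 2007-37 Content-Type rule
# to a list of jar: URIs, given what the server sends for each inner URL.
ALLOWED_JAR_TYPES = {"application/java-archive", "application/x-jar"}

def split_jar_uri(uri):
    """Split 'jar:<inner-url>!/<entry>' into (inner_url, entry)."""
    if not uri.lower().startswith("jar:"):
        raise ValueError("not a jar: URI")
    # Assumption: the first '!/' separates the archive URL from the entry.
    inner, sep, entry = uri[4:].partition("!/")
    if not sep or not inner:
        raise ValueError("missing inner URL or '!/' separator")
    return inner, entry

def media_type(content_type):
    """Normalize a Content-Type value: drop parameters, lowercase."""
    return (content_type or "").split(";", 1)[0].strip().lower()

def jar_allowed(content_type):
    """True if the header value is one of the two types named in 2007-37."""
    return media_type(content_type) in ALLOWED_JAR_TYPES

def audit(jar_uris, served_types):
    """Map each jar: URI to 'honored', 'refused' or 'malformed: ...'."""
    report = {}
    for uri in jar_uris:
        try:
            inner, _entry = split_jar_uri(uri)
        except ValueError as exc:
            report[uri] = f"malformed: {exc}"
            continue
        # A missing header is treated as not allowed.
        allowed = jar_allowed(served_types.get(inner))
        report[uri] = "honored" if allowed else "refused"
    return report

# Constructed sample data: what a hypothetical site sends for each file.
SERVED = {
    "https://example.test/uploads/photo.zip": "application/zip",
    "https://example.test/applets/signed.jar": "application/java-archive",
    "https://example.test/uploads/doc.odt": "Application/X-Jar; charset=binary",
}
URIS = [
    "jar:https://example.test/uploads/photo.zip!/index.html",
    "jar:https://example.test/applets/signed.jar!/page.html",
    "jar:https://example.test/uploads/doc.odt!/index.html",
    "jar:https://example.test/uploads/photo.zip",
]

if __name__ == "__main__":
    for uri, verdict in audit(URIS, SERVED).items():
        print(f"{verdict:10} {uri}")
```

A user-upload path that shows up as "honored" (the third sample entry) is the case to fix on the server side, since the archive type is what still lets jar: content load from that origin.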